7.3 KiB
7.3 KiB
IT Asset Governance MVP Plan For This Dashboard Repo
Summary
Implement the IT Center MVP as a new app-owned feature set inside the existing Next.js dashboard, using the current architecture:
organizationsstays the tenant boundary and maps toCompany- business roles (
IT Admin,Helpdesk,Infrastructure,Application,Auditor,Viewer) are modeled as workspace-scoped permission bundles, not as replacements forsystemRole - first release is a
Core RegistryMVP:- master data
- asset register
- asset lifecycle transactions: assign, transfer, return, repair
- movement history
- basic dashboard summaries and risk widgets
This should be built as a new feature family, following the migrated products and users patterns:
feature types -> service -> queries/mutations -> route handlers -> Drizzle.
Key Changes
1. Domain model and tenancy alignment
- Treat
organizationasCompany; keep the existing table and session/org-switcher model. - Add company-scoped master data tables under the selected organization:
sitesdepartmentslocationsemployees
- Add asset domain tables:
assetsasset_movementsasset_repairs
- Keep
Asset UIDimmutable and system-generated. - Keep
Asset Codemutable and history-tracked through movement events. - Store current state on
assets; store every lifecycle change as an append-only movement row.
2. RBAC model for IT Center
- Keep current auth layers:
users.systemRolefor global authority- workspace membership and active workspace session context for tenant authority
- Add a workspace-scoped business-role profile to membership-derived access:
- either a new membership field like
businessRole - or a dedicated per-organization user-access table linked to
user + organization
- either a new membership field like
- Recommended canonical permissions:
master_data:manageasset:readasset:createasset:updateasset:assignasset:transferasset:returnasset:repairasset:auditreport:read
- Map business roles to permission bundles:
IT Admin: full company-scoped accessHelpdesk: assign/transfer/return/readInfrastructure: hardware, warranty, EOS/EOL/EOP, repairApplication: software/license/subscription assetsAuditor: read, audit, export/report readViewer: read-only
- Keep server-side enforcement in route handlers and page guards; nav remains UX-only.
3. Feature/module structure in this repo
Create a new feature family under src/features/assets/ and sibling dashboard routes under src/app/dashboard/:
src/features/assets/api/types.tsapi/service.tsapi/queries.tsapi/mutations.tscomponents/schemas/
- Add dashboard routes:
/dashboard/assets/dashboard/assets/[assetId]/dashboard/assets/assign/dashboard/assets/transfer/dashboard/assets/return/dashboard/assets/repair/dashboard/assets/history
- Add master-data routes/pages, either grouped under
/dashboard/master-data/*or/dashboard/assets/settings/*sitesdepartmentslocationsemployees
- Reuse existing patterns:
PageContainer- TanStack Table
- TanStack Form + Zod
- React Query prefetch +
HydrationBoundary - route handlers in
src/app/api/**
4. Backend and workflow design
Implement route handlers for:
- master data CRUD
- asset CRUD
- lifecycle actions as explicit endpoints, not generic updates:
POST /api/assets/[id]/assignPOST /api/assets/[id]/transferPOST /api/assets/[id]/returnPOST /api/assets/[id]/repair
- movement history listing:
GET /api/assets/[id]/movements
- dashboard summary endpoints:
- totals by status
- warranty risk counts
- lifecycle risk counts
- data-quality counts
Behavior rules to lock in:
assignupdates current owner/location fields and insertsASSIGNmovementtransferupdates user/department/location/code as needed and inserts oneTRANSFERmovement with old/new valuesreturnupdates status to one ofIN_STOCK | REPAIR | RETIREDand insertsRETURNrepairinserts repair history and optionally sets statusREPAIR- every lifecycle mutation must write a movement record in the same server transaction
5. UI/navigation and documentation alignment
- Add new sidebar section for
Assets, with visibility based on asset permissions. - Keep
Workspacessemantics unchanged; they still represent company switching. - Add pages in this order for the MVP:
- asset register/list
- asset create/edit
- assign
- transfer
- return
- repair
- movement history
- dashboard summary widgets
- master data CRUD pages
- Update stale docs while implementing:
docs/nav-rbac.mdis legacy Clerk-oriented and should be rewritten to match Auth.js + current session fields- add a new domain glossary doc, preferably
CONTEXT.md, to define:- Organization = Company
- Site
- Department
- Location
- Employee
- Asset UID
- Asset Code
- Movement
- Business Role
Public APIs / Types
- Add new feature contracts in
src/features/assets/api/types.ts:AssetAssetFiltersAssetsResponseAssetMutationPayloadAssetAssignmentPayloadAssetTransferPayloadAssetReturnPayloadAssetRepairPayloadAssetMovementAssetDashboardSummary
- Add master data contracts:
Site,Department,Location,Employee
- Extend workspace-scoped access modeling so session-backed access checks can resolve:
- current workspace business role
- current workspace asset permissions
- Do not overload
systemRolewith business roles.
Test Plan
- Auth and tenancy:
- active organization scopes all master data and assets to one company
- switching organization changes visible assets and master data
- RBAC:
IT Admincan do all asset operations in the active workspaceHelpdeskcan assign/transfer/return but cannot manage system settingsInfrastructurecan repair and manage lifecycle dataAuditorcan read and audit but cannot mutate assetsViewercannot access transactional pages
- Asset lifecycle:
- create asset generates immutable
Asset UID - transfer can change owner, department, location, and asset code
- return updates status and writes movement
- repair writes repair history and status changes correctly
- create asset generates immutable
- History and risk:
- every lifecycle action creates a movement row
- warranty/EOS/EOL/EOP widgets count the right assets
- data-quality widgets flag missing user/location/serial/warranty
- UI:
- new nav items appear only for permitted roles
- asset list, detail, and transaction flows follow the repo’s React Query hydration pattern
Assumptions and Defaults
organizationsremains the canonical tenant table and meansCompany.- MVP phase 1 is the
Core Registryonly;Audit, advancedReports, mobile scanning, approvals, and external integrations stay phase 2+. - Business roles are workspace-scoped permission bundles layered on top of the current Auth.js + membership model.
- Hardware and software assets can share one
assetstable in MVP, usingassetTypeandassetCategoryfields, unless later scale forces separation. - Movement history is the audit trail of lifecycle changes; it is not full event sourcing.